RSA SecurID Hack

In March of 2011, RSA, the maker of the RSA SecurID tokens that over 40 million government organizations and corporations use to authenticate users, disclosed that it had been the victim of hackers.

It was believed that the hack came from two teams and was sponsored by a “nation state.” RSA’s executive chairman, Art Coviello, described the attack to ZDNet as “the stuff of a spy novel.”

The attack began with a “phishing” campaign in which two groups of RSA employees were sent an email with the subject “2011 Recruitment Plan.” Although the messages were routed to their junk folders, one employee was unfortunately curious enough to open the email from his junk folder.

The email that the hacker sent was decidedly low tech, with the text of the spoofed email reading: “I forward this file to you for review. Please open and view it.” The attached Excel file contained a “zero day” exploit that targeted a vulnerability in Adobe Flash, which allowed the hackers to install a back door into RSA.

With access to the first computer, the hackers began to steal passwords, which allowed them to pivot to other systems with access to “sensitive” data. The hackers then began pulling files from those systems and storing them, first on a hacked account at a hosting provider, before finally moving them over to the hackers themselves.

Three months after the data was stolen, the hackers attempted to break into Lockheed Martin using duplicates of the stolen SecurIDs, but they were unsuccessful. Other than the loss of reputation to RSA, the extent of the damage the hack caused to other systems is unknown.

Interesting Facts:

The employees targeted were low-level, but their access was enough for the hackers to pivot to systems with higher-level access.